Your website is a huge part of your identity. When it comes to protecting your identity, is there ever enough security? Well, it depends.

This article explains how to add a host-hardening layer of protection by password-protecting the WordPress login script, the “wp-login.php” file — all for free.

To better understand the task at hand: “wp-login.php” is the special script used for logging into WordPress. A brute-force “password knowledge” attack is going to start by navigating to “www.yourdomain.com/wp-login.php”. Once there, the attacker will have the option of logging directly into your WordPress host.

As with any lock, the goal here is to make it just a little more difficult for the attacker. In this case, we’ll password protect the WordPress PHP login script itself. That way, the attacker will have to circumvent the file system’s password protection before even being presented with the opportunity of circumventing wp-login. It is one more step to reduce the number of drive-by attacks.

Here are the steps for wrapping wp-login.php with file system protection:

1. Update the .htpasswd file

The .htpasswd file is the password repository. For those familiar with Unix-based systems, it is similar in structure to the old-school /etc/passwd file, with each line corresponding to a single user. Here’s the process to update the .htpasswd file.
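The one-user-per-line structure described above can be checked mechanically once the file exists. As an added example (not part of the original article), this Python sketch parses `.htpasswd` content and flags malformed lines, duplicate users, and entries stored with weak schemes; the function names and sample entries are constructed for illustration, and the prefixes checked are the ones documented for Apache's htpasswd formats.

```python
import re

# Schemes treated as worth replacing (assumption of this example).
WEAK = {"sha1-unsalted", "crypt-des", "unrecognized"}

def classify(hash_field):
    """Map the stored hash to the scheme its prefix or shape indicates."""
    if hash_field.startswith(("$2y$", "$2a$", "$2b$")):
        return "bcrypt"
    if hash_field.startswith("$apr1$"):
        return "apr1-md5"
    if hash_field.startswith("{SHA}"):
        return "sha1-unsalted"
    if re.fullmatch(r"[./0-9A-Za-z]{13}", hash_field):
        return "crypt-des"  # traditional crypt(): 13 characters
    return "unrecognized"   # plaintext or an unsupported format

def audit(text):
    """Return (line_number, user, finding) tuples for entries to review."""
    findings, seen = [], set()
    for num, line in enumerate(text.splitlines(), start=1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments carry no entry
        user, sep, hash_field = line.partition(":")
        if not sep or not user or not hash_field:
            findings.append((num, user, "malformed entry"))
            continue
        if user in seen:
            findings.append((num, user, "duplicate user"))
        seen.add(user)
        scheme = classify(hash_field)
        if scheme in WEAK:
            findings.append((num, user, f"weak scheme: {scheme}"))
    return findings

# Constructed sample; hash values are placeholders with the right shape only.
SAMPLE = """\
# staff logins
alice:$2y$10$PLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLDER
bob:$apr1$PLACEHLD$PLACEHOLDERPLACEHOLDER
carol:{SHA}PLACEHOLDERPLACEHOLDERPLACE=
dave:PLACEHOLDER12
erin
bob:hunter2
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```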